Abstract. We present a deep embedding of Bellantoni and Cook's syntactic characterization of polytime functions. We prove formally that it is correct and complete with respect to the original characterization by Cobham that required a bound to be proved manually. Compared to the paper proof by Bellantoni and Cook, we have been careful in making our proof fully constructive so that we obtain more precise bounding polynomials and more efficient translations between the two characterizations. Another difference is that we consider functions on bitstrings instead of functions on positive integers. This latter change is motivated by the application of our formalization in the context of formal security proofs in cryptography. Based on our core formalization, we have started developing a library of polytime functions that can be reused to build more complex ones.
1 Introduction

When formally verifying algorithms, one often proves their correctness and termination, but complexity is rarely considered. However, proving correctness or termination of an algorithm that is not executable in polynomial time is of little practical use. Even at a theoretical level, it might not make much sense. For instance, in the context of security proofs one has to restrict the computational power of the adversary in the model. Indeed, an adversary with unlimited computational power could break most cryptographic schemes without actually making them insecure.

One way to take into account complexity in formal verification would be to formalize a precise execution model (e.g., Turing machines) and to explicitly count the number of steps necessary for the execution of the algorithm. Such an approach would be tedious, to say the least, and would give results depending on the particular execution model that is used, whereas one is mainly interested in the complexity class independently of a particular execution model. A more convenient approach is implicit computational complexity, which relates programming languages with complexity classes without relying on a particular execution model nor counting execution steps explicitly.

The main motivation behind the work presented in this paper is its application in the context of security proofs in cryptography for restricting the computational power of the adversary so that it is feasible. Cobham's thesis asserts that being feasible is the same as being computable in polynomial time [8]. Cryptographers follow Cobham's thesis in their security proofs by assuming that the adversary is computable in probabilistic polynomial time (PPT), i.e., executable on a Turing machine extended with a read-only random tape that has been filled with random bits, and working in (worst-case) polynomial time. Moreover the class of functions computable in polynomial time (a.k.a. polytime functions) has several natural closure properties that are convenient for programming. It is in particular closed under composition and a limited kind of recursion. Cobham uses those closure properties to characterize the polytime functions independently of any particular execution model. Indeed, although in his proof he uses a particular model of Turing machine, he claims that it is quite incidental, i.e., the particularities such as the number of tapes or the chosen instruction set have no significant effect on the proof. Even adding an instruction to erase a tape or put back the head in its initial position in a single step would not break the proof [8].

Unfortunately, the characterization of Cobham is not fully syntactic: a size bound has to be proved on the semantics of recursive functions. This thus does not allow for an automatic procedure to check whether a program satisfies or not the conditions to be in Cobham's class. About 30 years later, Bellantoni and Cook proposed a syntactic mechanism to control the growth rate of functions and thus eliminate the need for an explicit size bound [6]. Being a fully syntactic characterization, membership in Bellantoni-Cook's class can be checked automatically. They show that the existence of an algorithm in Cobham's class is equivalent to the existence of an algorithm in Bellantoni-Cook's class that computes the same function. This makes their class a sound and complete characterization of polytime functions: any function definable in Bellantoni-Cook's (or Cobham's) class is computable in polynomial time, and any function computable in polynomial time is definable in Bellantoni-Cook's (and Cobham's) class.

Related work. It is not uncommon that a few months or a few years after a so-called security proof 
for a cryptographic scheme is published (e.g., in a top-level conference in cryptography), an attack on this 
same scheme is published. This shows that there is a need for formal verification in cryptography. This 
need is well-known among and acknowledged by cryptographers [11]. As a matter of fact, these last few 
years, several frameworks for machine-checking security proofs in cryptography have been proposed [3,4, 
16]. However, these frameworks either ignore complexity-theoretic issues or postulate the complexity of the 
involved functions. 

Zhang has proposed a probabilistic programming language with a type system to ensure computation in probabilistic polynomial time and an equational logic to reason about those programs [25]. In [19], it has been applied to security proofs in cryptography. Zhang relies on Hofmann's SLR [13] and its extension to the probabilistic case by Mitchell et al. [15]. Those latter works are about functions on positive integers. Like us in this paper, Zhang made the move to bitstrings in order to be applicable in the context of cryptography where, for example, the bitstrings 0 and 00 are considered different although they would be identified if they were interpreted as positive integers.

In [22], the need for a "polytime checker", possibly based on Bellantoni and Cook's work, is acknowledged; it would be used to check automatically that a reduction between two NP-complete problems is computable in polynomial time. In this paper, we provide such a polytime checker.

There are many other criteria to ensure that functions, defined using various programming paradigms, are in particular complexity classes. To cite only a few, some propose logical characterizations of polytime functions [14,23] or characterizations in terms of rewrite systems [2]. Others deal with different complexity classes [1]. To the best of our knowledge, none of those criteria have been applied to cryptography.

Contributions. In the proof assistant Coq, we have deeply embedded the bitstring versions of Cobham's and Bellantoni-Cook's classes and their relation. Initially, those classes were about functions on positive integers. But in the context of cryptography we must deal with bitstrings. The reformulation of Cobham's class with bitstrings and the proof that it contains exactly the functions computable in polynomial time was done in [24]. In a similar way, we have reformulated the definition of Bellantoni-Cook's class.

We have also extended Bellantoni and Cook's proof that their class is equivalent to Cobham's one by 
making it fully constructive, i.e., we provide explicit algorithms to perform translations between the two 
classes. Those algorithms can be executed in Coq and extracted automatically into a certified translator 
in an ML dialect supported by Coq. We also make more precise the bounding polynomials thus obtaining 
better bounds and a more efficient translation, whereas Bellantoni and Cook overapproximate them since 
they are only interested in their existence and do not try to optimize the translations. 

We have started to implement libraries of functions in Cobham's and Bellantoni-Cook's classes that can 
be used to build more complex functions. 

In the context of security proofs in cryptography, we have shown how to apply our work with the second author's toolbox for certifying cryptographic primitives [16-18]. We have also extended Certicrypt [4] with support for defining in Bellantoni-Cook's class the mathematical functions used by adversaries. The benefit is that one gets for free polynomials that had to be postulated before our extension, thus bringing more confidence in the security proof.

We have proved a new result on Bellantoni-Cook's class: we give explicitly a polynomial that bounds the running time of a function in Bellantoni-Cook's class. Such an explicit polynomial was necessary to interface our library with Certicrypt.

Outline. We start with some preliminaries in Section 2. In Section 3, we formalize Cobham's and Bellantoni-Cook's classes that characterize polytime functions. Then in Sections 4 and 5 we respectively formalize the translation from Bellantoni-Cook's class to Cobham's class and vice versa. Finally in Section 6 we show how our formalization can be used for the purpose of formalizing security proofs in cryptography.

2 Preliminaries 

In this section, we introduce our formalization of multivariate polynomials and various notations that will 
be used in the rest of this paper. 

2.1 Multivariate polynomials 

We have implemented a library of positive multivariate polynomials. A shallow embedding of polynomials 
might consist in representing them as a particular class of functions on positive integers. However, since we 
need in Section 4 to translate polynomials into expressions in Cobham's class, we have opted for a deep 
embedding. A polynomial is represented as a pair of the number of distinct variables and a list of monomials. 
A monomial is represented as a pair of a constant positive integer and a list of variables and their powers. 
A variable is represented as an integer. For example, the polynomial $3y^3 + 5x^2y + 16$ is represented by

(2, [(3, [(1,3)]); (5, [(0,2); (1,1)]); (16, [])])

where the leftmost 2 is the number of variables, and variables x and y are respectively represented by 0 and 1. We chose to put the number of variables in the representation of a polynomial so as to easily inject a polynomial using m variables into the class of polynomials with n variables when n > m. Otherwise we would have to add artificial occurrences of variables with coefficient 0. In the library we provide utility functions in Coq to create and combine polynomials (constant, variables, addition, multiplication, composition...). We use those functions when building a polynomial. Those functions are parameterized by the number of variables, but we will omit this parameter in the rest of the paper since it will be clear from context. We write $x_0, \ldots, x_{n-1}$ for the variables of a polynomial with n variables. If P is a polynomial with m variables and $\vec{Q} = (Q_0, \ldots, Q_{m-1})$ is a vector of polynomials with n variables, we write $P(\vec{Q})$ for the polynomial with n variables defined by substituting each variable $x_i$ in P by the polynomial $Q_i$ and by applying distributivity of multiplication over addition and associativity of addition.

In [10], multivariate polynomials are represented in sparse Horner form and thus allow for a more efficient 
numerical evaluation of polynomials. Since we do not intend to numerically evaluate polynomials, we have 
opted for a more direct approach. This will moreover facilitate the connection with univariate polynomials 
in Certicrypt (cf. Section 6.2). 
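The representation above is small enough to be executed directly. The following Python model is an added example (ours, not the paper's Coq library; all function names are our own): it implements the (number of variables, monomial list) representation together with injection, addition, multiplication and the substitution P(Q) expanded by distributivity, and cross-checks the result against direct numerical evaluation.

```python
# Deep embedding of positive multivariate polynomials in the representation of
# Section 2.1: a polynomial is (nvars, [monomial]) and a monomial is
# (coefficient, [(variable, power)]); variables are integers below nvars.
# Added example code, not the paper's Coq library; all names are ours.

# The page's example: 3y^3 + 5x^2y + 16, with x = 0 and y = 1.
P_EXAMPLE = (2, [(3, [(1, 3)]), (5, [(0, 2), (1, 1)]), (16, [])])

def normalize(poly):
    """Canonical form: merge repeated variables of a monomial, merge equal
    monomials, drop zero coefficients and order monomials deterministically."""
    nvars, monos = poly
    acc = {}
    for coeff, vs in monos:
        powers = {}
        for v, p in vs:
            if not 0 <= v < nvars:
                raise ValueError("variable %d is not below %d" % (v, nvars))
            powers[v] = powers.get(v, 0) + p
        key = tuple(sorted((v, p) for v, p in powers.items() if p > 0))
        acc[key] = acc.get(key, 0) + coeff
    return (nvars, [(c, list(k)) for k, c in sorted(acc.items()) if c != 0])

def const(nvars, c):
    return (nvars, [(c, [])] if c else [])

def var(nvars, i):
    return normalize((nvars, [(1, [(i, 1)])]))      # also validates i < nvars

def inject(poly, nvars):
    """Inject a polynomial on m variables into the class with nvars >= m variables."""
    if nvars < poly[0]:
        raise ValueError("cannot shrink the number of variables")
    return (nvars, poly[1])

def add(p, q):
    return normalize((max(p[0], q[0]), p[1] + q[1]))

def mul(p, q):
    return normalize((max(p[0], q[0]),
                      [(c1 * c2, v1 + v2) for c1, v1 in p[1] for c2, v2 in q[1]]))

def compose(p, qs):
    """P(Q): substitute qs[i] for x_i in p, expanding products by distributivity.
    The result has as many variables as the polynomials in qs."""
    m, monos = p
    if len(qs) != m:
        raise ValueError("need exactly one polynomial per variable of p")
    nvars = max([q[0] for q in qs], default=0)
    result = const(nvars, 0)
    for coeff, vs in monos:
        term = const(nvars, coeff)
        for v, power in vs:
            for _ in range(power):
                term = mul(term, inject(qs[v], nvars))
        result = add(result, term)
    return result

def evaluate(poly, xs):
    """Numerical value of poly at the point xs (used here only as a cross-check)."""
    total = 0
    for coeff, vs in poly[1]:
        term = coeff
        for v, power in vs:
            term *= xs[v] ** power
        total += term
    return total

if __name__ == "__main__":
    # Substitute x := x0 + 1 and y := x0 into the page's example polynomial.
    subst = [add(var(1, 0), const(1, 1)), var(1, 0)]
    print(compose(P_EXAMPLE, subst))              # 8 x0^3 + 10 x0^2 + 5 x0 + 16
    print(evaluate(P_EXAMPLE, [6, 5]), evaluate(compose(P_EXAMPLE, subst), [5]))
```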

2.2 Notations 

We list some notations that will be useful to present the results and their proofs in a concise manner. However, the meaning of those notations should be clear from the context. We write:

— xb for the concatenation of the bitstring x with a bit b in the least significant position;

— $\vec{x}$ for a vector $(x_0, \ldots, x_{n-1})$ (for some n);

— $\vec{x}, \vec{y}$ for the concatenation of vectors $\vec{x}$ and $\vec{y}$;

— $|\vec{x}|$ for the length of a vector $\vec{x}$;

— $|x|$ for the size of a bitstring x;

— $|\vec{x}|$ for the vector of sizes of the components of the vector $\vec{x}$, i.e., if $\vec{x} = (x_0, \ldots, x_{n-1})$ then $|\vec{x}| = (|x_0|, \ldots, |x_{n-1}|)$;

— $f(\vec{x})$ for the vector of applications of f to each component of the vector $\vec{x}$, i.e., if $\vec{x} = (x_0, \ldots, x_{n-1})$ then $f(\vec{x}) = (f(x_0), \ldots, f(x_{n-1}))$;

— $\vec{f}(x)$ for the vector of applications of each component of the vector $\vec{f}$ to x, i.e., if $\vec{f} = (f_0, \ldots, f_{n-1})$ then $\vec{f}(x) = (f_0(x), \ldots, f_{n-1}(x))$.

3 Characterizing polytime functions 

In this section, we explain our deep embedding of the bitstring versions of Cobham's and Bellantoni-Cook's 
classes, and state some of their bounding properties. 



3.1 Cobham's class 

In a seminal paper [8], Cobham characterized polytime functions as the least class of functions containing 
certain initial functions and closed under composition and a certain kind of recursion. However this char- 
acterization is not fully syntactic as it requires a size bound to be proved on the semantics of recursive 
functions. 

We use the reformulation of Cobham's class taken from [24], which deals with bitstrings instead of positive integers as was the case in [8].

The syntax of Cobham's class C is given by:

$$\begin{array}{lll}
C ::= & O & \text{constant zero} \\
| & \Pi^n_i & \text{projection } (i < n) \\
| & S_b & \text{successor} \\
| & \# & \text{smash} \\
| & \mathrm{Comp}^n\ h\ \vec{g} & \text{composition} \\
| & \mathrm{Rec}\ g\ h_0\ h_1\ j & \text{recursion}
\end{array}$$

where i and n are positive integers, b is a bit, g, h, $h_0$, $h_1$ and j are expressions in C, and $\vec{g}$ is a vector of expressions in C. Well-formed expressions e in C have a well-defined arity A(e) given by:

$$A(O) = 0 \qquad A(\Pi^n_i) = n \qquad A(S_b) = 1 \qquad A(\#) = 2$$

$$\frac{A(h) = a_h \qquad |\vec{g}| = a_h \qquad \forall g \in \vec{g},\ A(g) = n}{A(\mathrm{Comp}^n\ h\ \vec{g}) = n}$$

$$\frac{A(g) = a_g \qquad A(h_0) = A(h_1) = a_h \qquad A(j) = a_j \qquad a_h = a_g + 2 = a_j + 1}{A(\mathrm{Rec}\ g\ h_0\ h_1\ j) = a_j}$$

In our implementation, A is a Coq function that computes the arity of a Cobham expression if it is well formed, or returns an error message otherwise. It is helpful when programming and debugging polytime functions in Cobham's class.
The semantics is given by:

— O denotes the constant function that always returns the empty bitstring ε.

— $\Pi^n_i(x_0, \ldots, x_{n-1})$ is equal to $x_i$.

— $S_b(x)$ is equal to xb.

— #(x, y) is equal to $1\underbrace{0 \cdots 0}_{|x| \cdot |y| \text{ times}}$.

— $\mathrm{Comp}^n\ h\ \vec{g}$ is equal to the function f such that:

$$f(\vec{x}) = h(\vec{g}(\vec{x}))$$

— Rec g $h_0$ $h_1$ j is equal to the function f such that:

$$f(\varepsilon, \vec{x}) = g(\vec{x})$$

$$f(yi, \vec{x}) = h_i(y, f(y, \vec{x}), \vec{x})$$

$$|f(y, \vec{x})| \le |j(y, \vec{x})| \quad \text{(RecBounded)}$$

We illustrate Cobham's class by implementing the binary successor function:

$$\mathrm{Succ} = \mathrm{Rec}\ \left\{ \begin{array}{lll}
\mathrm{Succ}(\varepsilon) = 1 & & (\mathrm{Comp}\ S_1\ O) \\
\mathrm{Succ}(x0) = x1 & & (\mathrm{Comp}\ S_1\ \Pi^2_0) \\
\mathrm{Succ}(x1) = \mathrm{Succ}(x)0 & & (\mathrm{Comp}\ S_0\ \Pi^2_1) \\
|\mathrm{Succ}(x)| \le |x1| & & (\mathrm{Comp}\ S_1\ \Pi^1_0)
\end{array} \right.$$
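The following Python interpreter is an added example (ours, not the paper's Coq development) for the bitstring version of C as just defined: it computes the arity A, evaluates expressions, and checks RecBounded on every prefix of the recursion argument while the recursion unfolds, so an expression whose bound j is too small is rejected instead of being silently accepted. Succ is the page's expression; the second expression, whose output length is squared at each step, is our own construction.

```python
# Executable model of the bitstring version of Cobham's class C (Section 3.1).
# Bitstrings are Python strings over '0'/'1'; the empty bitstring epsilon is "".
# Expression syntax (tuples mirroring the page):
#   ("O",)  ("Proj", n, i)  ("S", b)  ("Smash",)
#   ("Comp", n, h, [g0, g1, ...])  ("Rec", g, h0, h1, j)
# Added example code, not the paper's Coq development; all names are ours.

def arity(e):
    """A(e): arity of a well-formed expression, ValueError otherwise."""
    tag = e[0]
    if tag == "O":
        return 0
    if tag == "Proj":
        _, n, i = e
        if not 0 <= i < n:
            raise ValueError("projection index %d is not below %d" % (i, n))
        return n
    if tag == "S":
        return 1
    if tag == "Smash":
        return 2
    if tag == "Comp":
        _, n, h, gs = e
        if arity(h) != len(gs) or any(arity(g) != n for g in gs):
            raise ValueError("ill-formed composition")
        return n
    if tag == "Rec":
        _, g, h0, h1, j = e
        a_g, a_h0, a_h1, a_j = arity(g), arity(h0), arity(h1), arity(j)
        if not (a_h0 == a_h1 == a_g + 2 == a_j + 1):
            raise ValueError("ill-formed recursion")
        return a_j
    raise ValueError("unknown constructor %r" % (tag,))

class RecBoundViolation(Exception):
    """|f(y, x)| > |j(y, x)| for some prefix y: the condition RecBounded fails."""

def ev(e, xs):
    """Semantics of e on the vector xs, checking RecBounded as the recursion unfolds."""
    tag = e[0]
    if tag == "O":
        return ""
    if tag == "Proj":
        return xs[e[2]]
    if tag == "S":
        return xs[0] + e[1]                  # append b in the least significant position
    if tag == "Smash":
        return "1" + "0" * (len(xs[0]) * len(xs[1]))
    if tag == "Comp":
        _, _, h, gs = e
        return ev(h, [ev(g, xs) for g in gs])
    _, g, h0, h1, j = e
    y, rest = xs[0], list(xs[1:])
    acc = ev(g, rest)                        # f(epsilon, x) = g(x)
    for k in range(len(y) + 1):
        if k > 0:                            # f(y'b, x) = h_b(y', f(y', x), x)
            h = h0 if y[k - 1] == "0" else h1
            acc = ev(h, [y[:k - 1], acc] + rest)
        bound = ev(j, [y[:k]] + rest)        # RecBounded must hold for every prefix
        if len(acc) > len(bound):
            raise RecBoundViolation("prefix %r: |f| = %d > |j| = %d"
                                    % (y[:k], len(acc), len(bound)))
    return acc

# Succ from the page: Rec (Comp S1 O) (Comp S1 Pi^2_0) (Comp S0 Pi^2_1) (Comp S1 Pi^1_0).
SUCC = ("Rec",
        ("Comp", 0, ("S", "1"), [("O",)]),
        ("Comp", 2, ("S", "1"), [("Proj", 2, 0)]),
        ("Comp", 2, ("S", "0"), [("Proj", 2, 1)]),
        ("Comp", 1, ("S", "1"), [("Proj", 1, 0)]))

# Our own ill-bounded recursion: f(eps) = 1 and f(yb) = #(f(y), f(y)), so the output
# length is squared at every step, while the declared bound j = S1 Pi^1_0 allows |y| + 1.
BLOWUP = ("Rec",
          ("Comp", 0, ("S", "1"), [("O",)]),
          ("Comp", 2, ("Smash",), [("Proj", 2, 1), ("Proj", 2, 1)]),
          ("Comp", 2, ("Smash",), [("Proj", 2, 1), ("Proj", 2, 1)]),
          ("Comp", 1, ("S", "1"), [("Proj", 1, 0)]))

def succ(x):
    return ev(SUCC, [x])

def rec_bounded_on(e, xs):
    """True iff evaluating e on xs never violates RecBounded."""
    try:
        ev(e, xs)
        return True
    except RecBoundViolation:
        return False

if __name__ == "__main__":
    print(arity(SUCC), succ(""), succ("1011"))                            # 1 1 1100
    print(rec_bounded_on(BLOWUP, ["0"]), rec_bounded_on(BLOWUP, ["00"]))  # True False
```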

We prove in the following proposition that the output of a Cobham function is bounded by a polynomial in the lengths of its inputs.

Proposition 1. For all f in C with a well-defined arity A(f) and semantics (i.e., satisfying the condition RecBounded), there exists a length-bounding monotone polynomial $\mathrm{Pol}_C(f)$ such that:

$$|f(\vec{x})| \le (\mathrm{Pol}_C(f))(|\vec{x}|)$$

Proof. By induction on the syntax of f. Our proof is fully constructive in the sense that we define explicitly $\mathrm{Pol}_C$. For any f in C with arity A(f) = n, $\mathrm{Pol}_C(f)$ is the monotone polynomial with n variables $x_0, \ldots, x_{n-1}$ defined by:

$$\begin{aligned}
\mathrm{Pol}_C(O) &= 0 \\
\mathrm{Pol}_C(\Pi^n_i) &= x_i \\
\mathrm{Pol}_C(S_b) &= x_0 + 1 \\
\mathrm{Pol}_C(\#) &= x_0 \cdot x_1 + 1 \\
\mathrm{Pol}_C(\mathrm{Comp}^n\ h\ \vec{g}) &= (\mathrm{Pol}_C(h))(\mathrm{Pol}_C(\vec{g})) \\
\mathrm{Pol}_C(\mathrm{Rec}\ g\ h_0\ h_1\ j) &= \mathrm{Pol}_C(j)
\end{aligned}$$

□

We define a translation Poly→C from polynomials into Cobham's expressions. It is such that, for any polynomial P, Poly→C(P) is a unary encoding of P in Cobham's class, i.e.,

$$|\mathrm{Poly{\to}C}(P)(\vec{x})| = P(|\vec{x}|)$$



3.2 Bellantoni-Cook's class

Bellantoni and Cook have given a fully syntactic characterization of polytime functions that does not require any explicit mechanism to count the number of computation steps [6]. The control of the growth rate of functions is achieved by distinguishing two kinds of variables: the "normal" and "safe" ones, written respectively on the left and right side of a semicolon such as:

$$f(\underbrace{x_0, \ldots, x_{n-1}}_{\text{normal}};\ \underbrace{x_n, \ldots, x_{n+s-1}}_{\text{safe}})$$
The syntax of Bellantoni-Cook's class B is given by:

$$\begin{array}{lll}
B ::= & 0 & \text{constant zero} \\
| & \pi^{n,s}_i & \text{projection } (i < n + s) \\
| & s_b & \text{successor} \\
| & \mathrm{pred} & \text{predecessor} \\
| & \mathrm{cond} & \text{conditional} \\
| & \mathrm{comp}^{n,s}\ h\ \vec{g_N}\ \vec{g_S} & \text{composition} \\
| & \mathrm{rec}\ g\ h_0\ h_1 & \text{recursion}
\end{array}$$

where i, n and s are positive integers, b is a bit, g, h, $h_0$ and $h_1$ are expressions in B, and $\vec{g_N}$ and $\vec{g_S}$ are vectors of expressions in B. Note that, contrary to Cobham's class, a bounding function j is not needed for recursion. Well-formed expressions e in B have well-defined arities A(e) (counting separately the numbers of normal and safe variables) given by:

$$A(0) = (0,0) \qquad A(\pi^{n,s}_i) = (n,s) \qquad A(s_b) = (0,1) \qquad A(\mathrm{pred}) = (0,1) \qquad A(\mathrm{cond}) = (0,4)$$

$$\frac{A(h) = (n_h, s_h) \qquad |\vec{g_N}| = n_h \qquad |\vec{g_S}| = s_h \qquad \forall g \in \vec{g_N},\ A(g) = (n, 0) \qquad \forall g \in \vec{g_S},\ A(g) = (n, s)}{A(\mathrm{comp}^{n,s}\ h\ \vec{g_N}\ \vec{g_S}) = (n, s)}$$

$$\frac{A(g) = (n_g, s_g) \qquad A(h_0) = A(h_1) = (n_h, s_h) \qquad n_h = n_g + 1 \qquad s_h = s_g + 1}{A(\mathrm{rec}\ g\ h_0\ h_1) = (n_h, s_g)}$$

This function A is implemented like the one for Cobham's class. The semantics is given by:

— 0 denotes the constant function that always returns the empty bitstring ε.

— $\pi^{n,s}_i(x_0, \ldots, x_{n-1}; x_n, \ldots, x_{n+s-1})$ is equal to $x_i$.

— $s_b(;x)$ is equal to xb.

— pred(;ε) = ε and pred(;xi) = x.

— cond(;ε, x, y, z) = x, cond(;w0, x, y, z) = y and cond(;w1, x, y, z) = z.

— $\mathrm{comp}^{n,s}\ h\ \vec{g_N}\ \vec{g_S}$ is equal to the function f such that:

$$f(\vec{x}; \vec{y}) = h(\vec{g_N}(\vec{x};); \vec{g_S}(\vec{x}; \vec{y}))$$

Note here that the functions in $\vec{g_N}$ only have access to normal variables.

— rec g $h_0$ $h_1$ is equal to the function f such that:

$$f(\varepsilon, \vec{x}; \vec{y}) = g(\vec{x}; \vec{y})$$

$$f(zi, \vec{x}; \vec{y}) = h_i(z, \vec{x}; f(z, \vec{x}; \vec{y}), \vec{y})$$

Note here that the result of the recursive call $f(z, \vec{x}; \vec{y})$ is passed at a safe position. This prevents it from being used as the recursion argument in a nested recursion.

One can see that, contrary to Cobham's class C, there is no size bound to be proved on recursive functions: Bellantoni-Cook's class B is syntactically defined.

The reader may have noticed that our definition of Bellantoni-Cook's class is slightly different from the one in [6]. First, here the conditional cond distinguishes between three cases (empty, even or odd bitstrings), whereas in [6] the empty bitstring is treated as an even one. Second, here the base case for recursion is the empty bitstring, whereas in [6] it is any bitstring whose interpretation as a positive integer is 0, i.e., the empty bitstring or any bitstring made of any number of 0 bits only. We made those changes because in cryptography one wants to distinguish, for example, the bitstrings 0 and 00 although they would have the same interpretation in terms of positive integers. These changes are validated by the results we prove in the rest of the paper, where we translate our Bellantoni-Cook expressions to/from the bitstring version of Cobham's expressions [24].

The following examples illustrate how one can program addition and multiplication in Bellantoni-Cook's class and their respective arity:

$$\mathrm{plus} := \mathrm{rec}\ (\pi^{0,1}_0)\ (\mathrm{comp}^{1,2}\ s_1\ ()\ (\pi^{1,2}_1))\ (\mathrm{comp}^{1,2}\ s_1\ ()\ (\pi^{1,2}_1)) \qquad A(\mathrm{plus}) = (1, 1)$$

$$\mathrm{mult} := \mathrm{rec}\ (\mathrm{comp}^{1,0}\ 0\ ()\ ())\ (\mathrm{comp}^{2,1}\ \mathrm{plus}\ (\pi^{2,0}_1)\ (\pi^{2,1}_2))\ (\mathrm{comp}^{2,1}\ \mathrm{plus}\ (\pi^{2,0}_1)\ (\pi^{2,1}_2)) \qquad A(\mathrm{mult}) = (2, 0)$$

We prove in the following proposition that the output of a Bellantoni-Cook function is bounded by the sum of a polynomial in the lengths of its normal inputs and the size of its longest safe input. This is so because syntactic restrictions ensure that we cannot increase the lengths of safe inputs by more than an additive constant that will be taken into account in the polynomial part.

Proposition 2 (Polymax Bounding). For all f in B with well-defined arities A(f), there exists a length-bounding monotone polynomial $\mathrm{Pol}_B(f)$ such that, for all $\vec{x}$ and $\vec{y}$:

$$|f(\vec{x}; \vec{y})| \le (\mathrm{Pol}_B(f))(|\vec{x}|) + \max_i |y_i|$$

Proof. By induction on the syntax of f. Our proof is fully constructive in the sense that we define explicitly $\mathrm{Pol}_B$. For any f in B with arity A(f) = (n, s), $\mathrm{Pol}_B(f)$ is the monotone polynomial with n variables $x_0, \ldots, x_{n-1}$ defined by:

$$\begin{aligned}
\mathrm{Pol}_B(0) &= 0 \\
\mathrm{Pol}_B(\pi^{n,s}_i) &= \begin{cases} x_i & \text{if } i < n \\ 0 & \text{otherwise} \end{cases} \\
\mathrm{Pol}_B(s_b) &= 1 \\
\mathrm{Pol}_B(\mathrm{pred}) &= 0 \\
\mathrm{Pol}_B(\mathrm{cond}) &= 0 \\
\mathrm{Pol}_B(\mathrm{comp}^{n,s}\ h\ \vec{g_N}\ \vec{g_S}) &= \mathrm{Pol}_B(h)(\mathrm{Pol}_B(\vec{g_N})) + \Sigma(\mathrm{Pol}_B(\vec{g_S})) \\
\mathrm{Pol}_B(\mathrm{rec}\ g\ h_0\ h_1) &= \mathrm{shift}(\mathrm{Pol}_B(g)) + x_0 \cdot (\mathrm{Pol}_B(h_0) + \mathrm{Pol}_B(h_1))
\end{aligned}$$

where shift(P) is the polynomial P with each variable $x_i$ replaced by $x_{i+1}$. □

We define a translation Poly→B from polynomials into Bellantoni-Cook's expressions. It is such that, for any polynomial P, Poly→B(P) is a unary encoding of P in Bellantoni-Cook's class, i.e.,

$$|\mathrm{Poly{\to}B}(P)(\vec{x};)| = P(|\vec{x}|)$$
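The following Python interpreter is an added example (ours, not the paper's Coq development) for the bitstring version of B as defined above: the arity function A, the semantics, and Pol_B computed as a Python function of the normal input sizes (a shallow embedding of the polynomial, which is enough to check the bound of Proposition 2 numerically). It encodes the plus and mult expressions given above.

```python
# Executable model of the bitstring version of Bellantoni-Cook's class B
# (Section 3.2). Bitstrings are Python strings over '0'/'1'; "" is epsilon.
# Expression syntax (tuples mirroring the page):
#   ("0",)  ("proj", n, s, i)  ("s", b)  ("pred",)  ("cond",)
#   ("comp", n, s, h, [gN...], [gS...])  ("rec", g, h0, h1)
# Added example code, not the paper's Coq development; all names are ours.

def arity(e):
    """A(e) = (normal, safe) for a well-formed expression, ValueError otherwise."""
    tag = e[0]
    if tag == "0":
        return (0, 0)
    if tag == "proj":
        _, n, s, i = e
        if not 0 <= i < n + s:
            raise ValueError("projection index %d is not below %d" % (i, n + s))
        return (n, s)
    if tag in ("s", "pred"):
        return (0, 1)
    if tag == "cond":
        return (0, 4)
    if tag == "comp":
        _, n, s, h, gN, gS = e
        if arity(h) != (len(gN), len(gS)):
            raise ValueError("composition: wrong number of arguments for h")
        if any(arity(g) != (n, 0) for g in gN) or any(arity(g) != (n, s) for g in gS):
            raise ValueError("composition: argument arities must be (n,0) and (n,s)")
        return (n, s)
    if tag == "rec":
        _, g, h0, h1 = e
        (ng, sg), a0, a1 = arity(g), arity(h0), arity(h1)
        if not (a0 == a1 == (ng + 1, sg + 1)):
            raise ValueError("recursion: step functions must have arity (n_g+1, s_g+1)")
        return (ng + 1, sg)
    raise ValueError("unknown constructor %r" % (tag,))

def ev(e, xs, ys):
    """Value of e on the normal inputs xs and the safe inputs ys."""
    tag = e[0]
    if tag == "0":
        return ""
    if tag == "proj":
        return (list(xs) + list(ys))[e[3]]
    if tag == "s":
        return ys[0] + e[1]                  # s_b(;x) = xb
    if tag == "pred":
        return ys[0][:-1]                    # pred(;eps) = eps, pred(;xi) = x
    if tag == "cond":
        w, x, y, z = ys                      # empty / even (last bit 0) / odd (last bit 1)
        return x if w == "" else (y if w[-1] == "0" else z)
    if tag == "comp":
        _, _, _, h, gN, gS = e
        # The functions in gN only see the normal inputs.
        return ev(h, [ev(g, xs, []) for g in gN], [ev(g, xs, ys) for g in gS])
    _, g, h0, h1 = e
    z, rest = xs[0], list(xs[1:])
    acc = ev(g, rest, ys)                    # f(eps, x; y) = g(x; y)
    for k in range(1, len(z) + 1):           # f(z'i, x; y) = h_i(z', x; f(z', x; y), y)
        h = h0 if z[k - 1] == "0" else h1
        acc = ev(h, [z[:k - 1]] + rest, [acc] + list(ys))  # recursive value at a safe position
    return acc

def pol_b(e):
    """Pol_B(e) of Proposition 2, as a function of the list of normal input sizes."""
    tag = e[0]
    if tag in ("0", "pred", "cond"):
        return lambda ns: 0
    if tag == "proj":
        _, n, _, i = e
        return (lambda ns: ns[i]) if i < n else (lambda ns: 0)
    if tag == "s":
        return lambda ns: 1
    if tag == "comp":
        _, _, _, h, gN, gS = e
        ph, pN, pS = pol_b(h), [pol_b(g) for g in gN], [pol_b(g) for g in gS]
        return lambda ns: ph([p(ns) for p in pN]) + sum(p(ns) for p in pS)
    _, g, h0, h1 = e
    pg, p0, p1 = pol_b(g), pol_b(h0), pol_b(h1)
    # shift(Pol_B(g)) + x_0 . (Pol_B(h0) + Pol_B(h1)); shift skips the recursion variable x_0.
    return lambda ns: pg(ns[1:]) + ns[0] * (p0(ns) + p1(ns))

def polymax_ok(e, xs, ys):
    """Check |f(x; y)| <= Pol_B(f)(|x|) + max_i |y_i| on one concrete input."""
    bound = pol_b(e)([len(x) for x in xs]) + max([len(y) for y in ys], default=0)
    return len(ev(e, xs, ys)) <= bound

# plus and mult as on the page: |plus(z; y)| = |z| + |y| and |mult(z, x;)| = |z|.|x|.
STEP_PLUS = ("comp", 1, 2, ("s", "1"), [], [("proj", 1, 2, 1)])
PLUS = ("rec", ("proj", 0, 1, 0), STEP_PLUS, STEP_PLUS)
STEP_MULT = ("comp", 2, 1, PLUS, [("proj", 2, 0, 1)], [("proj", 2, 1, 2)])
MULT = ("rec", ("comp", 1, 0, ("0",), [], []), STEP_MULT, STEP_MULT)

if __name__ == "__main__":
    print(arity(PLUS), arity(MULT))                     # (1, 1) (2, 0)
    print(ev(PLUS, ["101"], ["11"]), ev(MULT, ["10", "111"], []))
    print(pol_b(PLUS)([3]), pol_b(MULT)([2, 3]))        # 6 24
    print(polymax_ok(PLUS, ["101"], ["11"]), polymax_ok(MULT, ["10", "111"], []))
```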

In order to ease further development of functions in Bellantoni-Cook's class, we provide a mechanism to infer automatically the optimal values for the parameters n and s appearing in $\pi^{n,s}_i$ and $\mathrm{comp}^{n,s}$, thus obtaining more elegant code. This is implemented with a new syntax $B_{\mathrm{inf}}$ for Bellantoni-Cook's class where arities do not appear in the syntax:

$$\begin{array}{lll}
B_{\mathrm{inf}} ::= & 0 & \text{constant zero} \\
| & \pi^{\mathrm{normal}}_i & \text{projection (normal) } (i < n) \\
| & \pi^{\mathrm{safe}}_i & \text{projection (safe) } (i < s) \\
| & s_b & \text{successor} \\
| & \mathrm{pred} & \text{predecessor} \\
| & \mathrm{cond} & \text{conditional} \\
| & \mathrm{comp}\ h\ \vec{g_N}\ \vec{g_S} & \text{composition} \\
| & \mathrm{rec}\ g\ h_0\ h_1 & \text{recursion}
\end{array}$$

We have validated this new syntax by providing certified translations between $B_{\mathrm{inf}}$ and B. When translating from $B_{\mathrm{inf}}$ to B, we can force arities to be larger than the minimal ones that are inferred.

4 Compiling Bellantoni-Cook into Cobham

In this section, we provide our formalization of the translation of expressions in Bellantoni-Cook's class into expressions in Cobham's class. The main result is stated in the following theorem.

Theorem 1. For all f in B with well-defined arities A(f), there exists f' in C such that for all vectors of bitstrings $\vec{x}$ and $\vec{y}$, $f(\vec{x}; \vec{y}) = f'(\vec{x}, \vec{y})$.

Proof. The proof is split into two inductions on the syntax of f: the first one to prove the equality and the second one to prove that the condition RecBounded is satisfied. Our proof is fully constructive in the sense that we define explicitly the translation B→C from B to C and define f' as B→C(f). The difficulty of the proof is in the generation of a Cobham expression that satisfies the condition RecBounded, and in building the polynomial j that bounds the recursive calls.

— The first cases are immediate:

$$\begin{aligned}
\mathrm{B{\to}C}(0) &= O \\
\mathrm{B{\to}C}(\pi^{n,s}_i) &= \Pi^{n+s}_i \\
\mathrm{B{\to}C}(s_b) &= S_b
\end{aligned}$$

— pred and cond are translated by using Rec:

$$\begin{aligned}
\mathrm{B{\to}C}(\mathrm{pred}) &= \mathrm{Rec}\ O\ \Pi^2_0\ \Pi^2_0\ \Pi^1_0 \\
\mathrm{B{\to}C}(\mathrm{cond}) &= \mathrm{Rec}\ \Pi^3_0\ \Pi^5_3\ \Pi^5_4\ (\mathrm{Comp}^4\ \#\ (\mathrm{Comp}^4\ S_1\ (\Pi^4_1);\ \mathrm{Comp}^4\ \#\ (\mathrm{Comp}^4\ S_1\ (\Pi^4_2);\ \mathrm{Comp}^4\ S_1\ (\Pi^4_3))))
\end{aligned}$$

— For $\mathrm{comp}^{n,s}\ h\ \vec{g_N}\ \vec{g_S}$ we need to add dummy variables, since the functions in $\vec{g_N}$ do not take the safe arguments as parameters. We need to transform these functions in $\vec{g_N}$ into functions with arity n + s. $\mathrm{dummies}_s$ (written in C) adds s dummy variables that are ignored:

$$\mathrm{B{\to}C}(\mathrm{comp}^{n,s}\ h\ \vec{g_N}\ \vec{g_S}) = \mathrm{Comp}^{n+s}\ \mathrm{B{\to}C}(h)\ (\mathrm{dummies}_s(\mathrm{B{\to}C}(\vec{g_N})),\ \mathrm{B{\to}C}(\vec{g_S}))$$

— For rec g $h_0$ $h_1$ we need to change the order of the arguments passed to the translations of $h_0$ and $h_1$. Indeed, while in B the recursive argument is put after the normal ones, in C it should be the second argument. This reordering is done by the function move_arg (written in C). Moreover, we need to derive a suitable bound for the fourth argument of Rec. By Proposition 2 and the fact that the sum $|x_n| + \cdots + |x_{n+s-1}|$ of the sizes of the safe arguments is greater than or equal to the maximum size of the safe arguments, we can take the polynomial $\mathrm{Pol}_B(\mathrm{rec}\ g\ h_0\ h_1) + x_n + \cdots + x_{n+s-1}$ for the bound. We then use Poly→C to encode it in C:

$$\mathrm{B{\to}C}(\mathrm{rec}\ g\ h_0\ h_1) = \mathrm{Rec}\ (\mathrm{B{\to}C}(g))\ (\mathrm{move\_arg}(\mathrm{B{\to}C}(h_0)))\ (\mathrm{move\_arg}(\mathrm{B{\to}C}(h_1)))\ (\mathrm{Poly{\to}C}(\mathrm{Pol}_B(\mathrm{rec}\ g\ h_0\ h_1) + x_n + \cdots + x_{n+s-1}))$$
5 Compiling Cobham into Bellantoni-Cook

Contrary to Bellantoni-Cook's class B, one does not distinguish between normal and safe variables in Cobham's class C. In C it is possible to recur on any argument, whereas in B one can only recur on normal arguments. Thus, when translating from C to B, we must introduce a distinction and deal appropriately with recursion. In our formalization, we follow Bellantoni and Cook's translation scheme by assuming that all the arguments are safe and adding an artificial normal argument w whose length is large enough to ensure enough recursion steps. This gives us the lemma below. After that, we will get rid of w, thus obtaining Theorem 2.

Lemma 1 (Recursion Simulation). For all functions f in C with well-defined arity A(f) = n and semantics (i.e., satisfying the condition RecBounded), there exists an f' in B and a monotone polynomial $\mathrm{Pol}_{C{\to}B}(f)$ such that for all vectors of bitstrings $\vec{x}$ and bitstrings w such that $\mathrm{Pol}_{C{\to}B}(f)(|\vec{x}|) \le |w|$, $f(\vec{x}) = f'(w; \vec{x})$.

Proof. By induction on the syntax of f. Our proof is fully constructive in the sense that we define explicitly the polynomial $\mathrm{Pol}_{C{\to}B}(f)$ and the translation C→B, and define f' as C→B(f). Our translation is such that if A(f) = n then A(f') = (1, n), i.e., f' takes one normal argument and n safe arguments.

— The first cases for C→B(f) are immediate. We just have to make sure that the arities are right:

$$\begin{aligned}
\mathrm{C{\to}B}(O) &= \mathrm{comp}^{1,n}\ 0\ ()\ () \\
\mathrm{C{\to}B}(\Pi^n_i) &= \pi^{1,n}_{i+1} \\
\mathrm{C{\to}B}(S_b) &= \mathrm{comp}^{1,n}\ s_b\ ()\ (\pi^{1,n}_1) \\
\mathrm{C{\to}B}(\mathrm{Comp}^n\ h\ \vec{g}) &= \mathrm{comp}^{1,n}\ (\mathrm{C{\to}B}(h))\ (\pi^{1,0}_0)\ (\mathrm{C{\to}B}(\vec{g}))
\end{aligned}$$

$\mathrm{Pol}_{C{\to}B}(f)(|\vec{x}|)$ is also immediate for these first cases:

$$\begin{aligned}
\mathrm{Pol}_{C{\to}B}(O) &= 0 \\
\mathrm{Pol}_{C{\to}B}(\Pi^n_i) &= 0 \\
\mathrm{Pol}_{C{\to}B}(S_b) &= 0 \\
\mathrm{Pol}_{C{\to}B}(\mathrm{Comp}^n\ h\ \vec{g}) &= \mathrm{Pol}_{C{\to}B}(h)(\mathrm{Pol}_C(\vec{g})) + \sum_{g \in \vec{g}} \mathrm{Pol}_{C{\to}B}(g)
\end{aligned}$$

The correctness of the case for Comp follows by induction hypothesis and Proposition 1.

— For the case of Rec g $h_0$ $h_1$ j, we follow [6] in defining intermediate functions in B. However we need fewer of them since our definition of f below is simpler. We define P in B such that P(a; b) removes the |a| least significant bits of b, i.e., P(ε; b) = b and P(ai; b) = pred(; P(a; b)). We define Y in B such that Y(z, w; y) removes the |w| − |z| least significant bits of y, i.e., Y(z, w; y) = P(P'(z, w;); y) where P'(a, b;) = P(a; b). P and Y are then used to define f in B:

$$\begin{aligned}
f(\varepsilon, w; y, \vec{x}) &= g'(w; \vec{x}) \\
f(zi, w; y, \vec{x}) &= \begin{cases}
g'(w; \vec{x}) & \text{if } Y(S_1 z, w; y) \text{ is } \varepsilon \\
h'_0(w; Y(z, w; y), f(z, w; y, \vec{x}), \vec{x}) & \text{if } Y(S_1 z, w; y) \text{ is even} \\
h'_1(w; Y(z, w; y), f(z, w; y, \vec{x}), \vec{x}) & \text{if } Y(S_1 z, w; y) \text{ is odd}
\end{cases}
\end{aligned}$$

where g', $h'_0$ and $h'_1$ are respectively C→B(g), C→B($h_0$) and C→B($h_1$). Our definition of f is simpler than in [6] because we do not need, as in [6], an additional intermediate function to check whether y is an encoding of the positive integer 0. In our case, we stop the recursion when y is equal to ε, since cond can check whether the first safe argument is ε.

We then define f'(w; y, $\vec{x}$) in B such that it is equal to f(w, w; y, $\vec{x}$), and finally:

$$\mathrm{C{\to}B}(\mathrm{Rec}\ g\ h_0\ h_1\ j) = f'\ (\mathrm{C{\to}B}(g))\ (\mathrm{C{\to}B}(h_0))\ (\mathrm{C{\to}B}(h_1))$$

For the polynomial, we have:

$$\mathrm{Pol}_{C{\to}B}(\mathrm{Rec}\ g\ h_0\ h_1\ j)(|y|, |\vec{x}|) = (\mathrm{Pol}_{C{\to}B}(h_0) + \mathrm{Pol}_{C{\to}B}(h_1))(|y|, \mathrm{Pol}_C(f), |\vec{x}|) + \mathrm{shift}(\mathrm{Pol}_{C{\to}B}(g)(|\vec{x}|)) + |y| + 2$$
— We can define the smash function # from C in B by a double recursion:

$$\begin{aligned}
\#'(\varepsilon, y) &= y \\
\#'(xb, y) &= \#'(x, y)0 \quad \text{(concatenation with a bit 0)} \\
\#(\varepsilon, y) &= 1 \\
\#(xb, y) &=
\end{aligned}$$

In order to implement in B those two recursive functions we apply the same technique as in the case of Rec above. We first obtain a #' in B by constructing f' with $g = \pi^{1,1}_1$ and $h_0 = h_1 = \mathrm{comp}^{1,3}\ s_0\ ()\ (\pi^{1,3}_2)$. We then obtain # in B by applying the same construction of f' with $g = \mathrm{one}^{1,1}$ and $h_0 = h_1 = \mathrm{dummies}_{0,1}(\mathrm{comp}^{1,2}\ \#'\ (\pi^{1,0}_0)\ (\pi^{1,2}_2; \pi^{1,2}_1))$.

For the polynomial, we obtain (after simplification):

$$\mathrm{Pol}_{C{\to}B}(\#) = x_0 + 2x_1 + 18 \quad \square$$

Finally, the main result of this section is stated in the following theorem.

Theorem 2. For all f in C with well-defined arity A(f) and semantics (i.e., satisfying the condition RecBounded), there exists f' in B such that, for all vectors of bitstrings $\vec{x}$, $f(\vec{x}) = f'(\vec{x};)$.

Proof. We define the expression $b_f$ in B by:

$$b_f = \mathrm{Poly{\to}B}(\mathrm{Pol}_{C{\to}B}(f))$$

By definition of Poly→B, for all vectors of bitstrings $\vec{x}$, $|b_f(\vec{x};)| = \mathrm{Pol}_{C{\to}B}(f)(|\vec{x}|)$. We can thus apply Lemma 1, which gives:

$$f'(\vec{x};) = (\mathrm{C{\to}B}(f))(b_f(\vec{x};); \vec{x}) \quad \square$$

Our translation gives more efficient code than the one in [6] since our definition of $b_f$ is more precise: the number of recursive calls will be no more than what is strictly necessary. Indeed, the authors of [6] use general properties of multivariate polynomials to first prove the existence of positive integers a and c such that

$$\mathrm{Pol}_{C{\to}B}(f)(|\vec{x}|) \le \sum_j |x_j|^a + c$$

and then use a and c to build a $b_f$ that satisfies the condition of Lemma 1, i.e., $\mathrm{Pol}_{C{\to}B}(f)(|\vec{x}|) \le |b_f(\vec{x};)|$. Their $b_f$ is an overapproximation of $\mathrm{Pol}_{C{\to}B}(f)$ while our $b_f$ is an exact encoding.



6 Applications

Security properties in cryptography are often modeled as games, and then security proofs consist in showing that no adversary can win the game [7,21]. Most of those proofs are based on computational assumptions that state that an effective adversary cannot solve a particular mathematical problem, e.g., Diffie-Hellman problems [9]. Effective adversaries are modeled as strict probabilistic polynomial-time functions, i.e., independently of the random choices, the execution time is bounded by a polynomial in a security parameter (typically the length of the inputs). This means that an adversary can be modeled as a polytime function with, as an additional parameter, a long enough bitstring that will be used by the adversary as its source of random bits.

6.1 Application to the second author's toolbox

The second author's toolbox is a collection of definitions and lemmas to be used for verifying game transformations in security proofs [16-18]. With this toolbox, our library can be used as such when applying a computational hypothesis. The computational hypotheses can indeed be restricted to adversaries defined in Cobham's or Bellantoni-Cook's class (this is not too restrictive since those classes are complete), and adversaries appearing in proofs must then be defined in one of those classes. For example, when applying the Decisional Diffie-Hellman assumption (DDH) in the security proof for Hashed ElGamal in [16], a new adversary φ is built from two adversaries $A_1$ and $A_2$:

$$\varphi(X, Y, Z) =_{\mathrm{def}} A_2(r, (X, k), (Y, H_k(Z) \oplus \pi_b(A_1(r, (X, k))))) = b$$

where b, k and r are fixed, ⊕ is the bitwise exclusive or (xor), $\pi_b$ is the b-th projection (b is equal to 1 or 2), and = is the equality test. That $A_1$ and $A_2$ are polytime is given by hypothesis. We can also assume that the hash function is polytime. Being polytime, they are definable in Bellantoni-Cook's class. Moreover, projections, exclusive or and equality test are easily defined in Bellantoni-Cook's class. Therefore φ is easily definable in Bellantoni-Cook's class and thus it is polytime.

6.2 Application to Certicrypt 

The application of our library to Certicrypt requires more work but brings noticeable benefits. 

In Certicrypt, a game is a probabilistic imperative program that transforms a distribution of input states 
into a distribution of output states. A state includes a time index. A distribution of states is polynomially 
bounded if there are two (univariate) polynomials $p$ and $q$ respectively bounding the size of the data and the 
time index of each state in the distribution. A program is strict probabilistic polynomial time (PPT) iff: it 
always terminates; and there exist two (univariate) polynomial transformers $F$ and $G$ such that, for every 
polynomially bounded (by $p$ and $q$) distribution of input states, the distribution of output states is bounded 
by $F(p)$ (bounding the output size) and $q + G(p)$ (bounding the execution time). The interested reader should 
refer to [4] for further explanation about this way to formalize PPT. 

We have built an interface with Certicrypt made of the following components: 

— The core language of Certicrypt can be extended with user-defined types and functions. But the time 
cost of each function has to be axiomatized in the current implementation of Certicrypt. We have added 
the possibility to include functions that have been defined in our implementation of Bellantoni-Cook's 
class and that are thus automatically proved executable in polynomial time, thus removing the need for 
postulates. 

— We have added a conversion from any multivariate polynomial $P$ given by our library into a univariate 
one $\lceil P \rceil$ in Certicrypt that overapproximates $P$ when applied to the maximal argument. This is easily 
done by substituting all variables $x_0, \ldots, x_{n-1}$ in $P$ by a single variable $x$: 

$\lceil P \rceil =_{\mathrm{def}} P[x_0 \mapsto x; \ldots; x_{n-1} \mapsto x]$

— In the case of a program $c$ defined in Bellantoni-Cook's class, we can take $F(p)$ to be equal to: 

$1 + 2\,\lceil \mathrm{Pol}_B(c) \rceil(p)$

This is justified by Proposition 2. The multiplication by 2 and the addition of 1 are here for 
technical reasons coming from Certicrypt. For example, the multiplication by 2 comes from the fact that 
the size of a boolean in Certicrypt is 2. 

— In order to obtain $G(p)$, we need to consider the obvious implementation of Bellantoni-Cook's class on a 
stack machine as described in Section 3.4.2 of [5]. We have equipped the semantics of Bellantoni-Cook's 
class with a time index that keeps track of the running time. We can then prove that the multivariate 
polynomial $\mathrm{Pol}_{time}$ below is an upper bound of the running time, and use it to define $G(p)$. 

$\mathrm{Pol}_{time}(O) = \mathrm{Pol}_{time}(\pi^{n,s}_j) = \mathrm{Pol}_{time}(s_b) = \mathrm{Pol}_{time}(\mathit{pred}) = \mathrm{Pol}_{time}(\mathit{cond}) = 1$

$\mathrm{Pol}_{time}(\mathit{comp}^{n,s}\; h\; \vec{g}_N\; \vec{g}_S) = \mathrm{Pol}_{time}(h)(\mathrm{Pol}_B(\vec{g}_N)) + \sum(\mathrm{Pol}_{time}(\vec{g}_N)) + \sum(\mathrm{Pol}_{time}(\vec{g}_S))$

$\mathrm{Pol}_{time}(\mathit{rec}\; g\; h_0\; h_1) = \mathit{shift}(\mathrm{Pol}_{time}(g)) + x_0 \cdot (\mathrm{Pol}_{time}(h_0) + \mathrm{Pol}_{time}(h_1))$

where $\mathit{shift}(P)$ is the polynomial $P$ with each variable $x_i$ replaced by $x_{i+1}$. An interesting thing about 
$\mathrm{Pol}_{time}$ is that, in the case of $\mathit{comp}^{n,s}\; h\; \vec{g}_N\; \vec{g}_S$, it is necessary to consider the size $\mathrm{Pol}_B(\vec{g}_N)$ of the outputs 
of the functions in $\vec{g}_N$ for the running time of $h$, but not the size of the outputs of the functions in $\vec{g}_S$. 
This is so because syntactic restrictions ensure that we cannot increase the lengths of safe inputs by more 
than an additive constant. Finally, for a program $c$ defined in Bellantoni-Cook's class, we take $G(p)$ to 
be equal to: 

$\lceil \mathrm{Pol}_{time}(c) \rceil(p)$
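To make the bounds above concrete, here is an added Python example (not part of the paper's Coq development) that represents multivariate polynomials as dicts and implements shift, the univariate overapproximation ⌈P⌉, the Pol_time cases that do not need Pol_B (comp is omitted because its case uses Pol_B from an earlier section), and G(p) as the composition ⌈Pol_time(c)⌉(p). The tuple encoding of terms and the normal arity 0 of O, s_b, pred and cond are assumptions of this example.

```python
from itertools import product
# Added example, not the paper's Coq development. A multivariate polynomial over
# x_0..x_{n-1} is a dict mapping an exponent tuple (e_0, ..., e_{n-1}) to its
# (non-negative integer) coefficient.

def const(c, arity):
    return {(0,) * arity: c}

def padd(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + c
    return r

def pmul(p, q):
    r = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        m = tuple(a + b for a, b in zip(m1, m2))
        r[m] = r.get(m, 0) + c1 * c2
    return r

def shift(p):  # shift(P): every x_i becomes x_{i+1}, so the arity grows by one
    return {(0,) + m: c for m, c in p.items()}

def psubst(p, subs, arity):  # P[x_0 -> subs[0]; ...], result over `arity` variables
    r = {}
    for m, c in p.items():
        term = const(c, arity)
        for s, e in zip(subs, m):
            for _ in range(e):
                term = pmul(term, s)
        r = padd(r, term)
    return r

def ceil(p):  # [P]: every x_i replaced by one variable x, i.e. a univariate bound
    return psubst(p, [{(1,): 1}] * len(next(iter(p))), 1)

# Pol_time for base functions and rec (comp omitted: it needs Pol_B from an earlier
# section). Terms: ('O',), ('proj', n, s, j), ('succ', b), ('pred',), ('cond',) and
# ('rec', g, h0, h1); O, s_b, pred, cond are assumed to take no normal argument.
def pol_time(t):
    if t[0] == 'proj':
        return const(1, t[1])
    if t[0] == 'rec':  # shift(Pol_time(g)) + x_0 * (Pol_time(h0) + Pol_time(h1))
        ph = padd(pol_time(t[2]), pol_time(t[3]))
        return padd(shift(pol_time(t[1])), {(m[0] + 1,) + m[1:]: c for m, c in ph.items()})
    return const(1, 0)

def G(pol_time_c, p):  # G(p) = [Pol_time(c)](p) for a univariate polynomial p
    return psubst(ceil(pol_time_c), [p], 1)
```

For rec O π π (iterating a projection x_0 times) the bound comes out as 1 + 2·x_0, so with p(x) = x² the time transformer is G(p) = 1 + 2x².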

The reader might be surprised that in this section we consider a particular implementation of Bellantoni- 
Cook's class while in the introduction we said that we are interested in complexity independently of any execution 
model. The reason is that, although being in Cobham's or Bellantoni-Cook's class guarantees that there exists 
a polynomial bounding the execution time, it does not give any clue on the actual value of this polynomial. 
However Certicrypt requires that we explicitly give such a polynomial. This is why we consider here a 
particular execution model: to be able to compute a polynomial. 

7 Conclusions and future work 

We have formalized Cobham's and Bellantoni-Cook's classes and their relations in the proof assistant Coq. 
Using a proof assistant led us to formalize parts of the proofs that were only informal in Bellantoni and 
Cook's paper. Our formalization allows those classes to be used as programming languages to define any function 
that is computable in polynomial time. We have shown in particular that it can be used to build adversaries 
in security proofs in cryptography. 

Future Work. In order to facilitate the use of our formalization, an important piece of future work is to carry on 
developing a convenient library of polytime functions on bitstrings that can be reused in the construction of 
more advanced polytime functions. It is easy to implement bitwise operations such as bitwise XOR, NOT, 
AND, etc. However, when implementing numerical operations such as bitwise addition, dealing with the carry 
bit does not fit immediately in Bellantoni-Cook's recursion scheme. One possible solution is to implement 
binary addition, multiplication and other numerical functions in Cobham's class as in [20], and use 
our automatic translation C→B (defined in Section 5) to derive their implementations in Bellantoni-Cook's 
class. Also, our approach can be extended with higher order so as to formalize a more powerful programming 
language such as CSLR [25]. 

Acknowledgments. We are grateful to Benjamin Grégoire and Santiago Zanella Béguelin for replying so 
quickly to every question we have had on Certicrypt, and for their comments on an earlier draft of this 
paper. We thank the anonymous reviewers for their helpful suggestions, all of which improved the paper. 